DoD defense contractor Stark Aerospace potentially breached by INC ransomware


Stark Aerospace, a US-based missile systems and aerial weapons manufacturer contracted with the US Military and the Department of Defense (DoD), has been claimed as a victim by the INC Ransom group.

The ransomware gang posted Stark Aerospace on its dark leak blog on Thursday, claiming to have a whopping 4TB of data – including source code, design plans, employee passports, and firmware for all the UAVs produced.

Headquartered in Mississippi, Stark Aerospace is a world leader in the design and manufacture of technologically sophisticated defense systems, according to its website.


The defense contractor, whose company tagline is “What We Do Protects & Saves Lives,” is also chock full of ultra-sensitive data that could be deadly if it got into the wrong hands, especially the hands of adversarial nations, such as Russia, China, and North Korea.

Cybernews has reached out to Stark Aerospace and is waiting for a response at the time of this report.

INC leak site. Image by Cybernews.

Sensitive weapons data galore

Besides providing for the DoD’s Missile Defense Agency and Irregular Warfare Technical Support Directorate, the weapons systems manufacturer also lists Boeing, General Dynamics, the US Marine Corps Warfighting Laboratory, and the US Naval Sea Systems Command as customers.

It’s another blow to the US government, whose various agencies and elected officials have been plagued by third-party contractors infiltrated by nation-state threat actors, such as the hack of the US Treasury last month.

Understanding the treasure trove of data allegedly stolen in the attack, INC Ransom posted a note listing the content of the massive cache in question – along with a "proof pack" of close to 40 file samples allegedly exfiltrated from the aerospace company.

INC leak site. Image by Cybernews.

“We have a full range of design documentation, source codes of software environments developed by you, including firmware of all types UAVs you produce, information on contracts with the Department of Defense and other military contractors,” the Russian-linked gang wrote.

INC further boasted of having “supply chain information, and technology partners, codes and parts numbers of the entire component base, building plans and scientific works used by you to manufacture of its products [sic].”

Furthermore, the threat actors claimed to have copies of the passports of the company’s instructors, “who fly to hot spots for training and presentations.”

The gang also said it has sensitive information on production programs, reconnaissance satellites, and documents pertaining to Stark’s parent holding company IAI North America, which is the US subsidiary of Israel's largest aerospace and defense company, Israel Aerospace Industries Ltd. (IAI).

Finally, the nefarious group said it also had "at its disposal" copies of Stark websites, virtual laboratories, and the configuration of Stark’s cybersecurity tools.


The group threatens to sell the stolen files “to interested parties” if Stark Aerospace does not cooperate, although the ransomware cartel did not give the company a deadline for doing so.

In addition to missile systems, Stark’s current work includes loitering munitions – an aerial weapon with a built-in warhead, commonly referred to as a suicide or kamikaze drone – and electronics & avionics assembly and repair, including for naval navigation systems.

Some of the sensitive technology held by Stark Aerospace is used for military surveillance, border patrol, maritime surveillance, environmental monitoring, and infrastructure inspection, including critical infrastructure such as bridges, power lines, and pipelines.

In October 2024, Stark was awarded a $61 million contract with the US Navy's Sea Systems Command to produce missile canisters, which protect the missiles while in transit, according to a report by Mississippi news outlet The Dispatch.


Who is INC Ransom?

The INC Ransom group was first noted by security researchers in July 2023. The group is known to target corporate organizations primarily in the US, UK, and Australia, including in the healthcare, education, and government sectors.


According to Ransomlooker by Cybernews, INC Ransom claims to have victimized at least 135 organizations over the last 12 months, including California's Tri-City Medical Center last month, the San Francisco Ballet, the San Francisco Sheriff's Department, the City of Leicester in England, the NHS Dumfries and Galloway Health Board of Scotland, and the Xerox Corporation in December 2023.

The gang, often using spear phishing attacks to compromise its victims, is considered a multi-extortion operation – which means it not only encrypts and steals its target’s data but then threatens to publish it online if the victim doesn’t pay up.